<?php

// --------------------------------------------------------------------- //
// FLASH                                                                 //
// Edit a record V1.01 build 20020529                                    //
// --------------------------------------------------------------------- //
// IN: username, action = "read"/"apply"                                 //
// OUT: username,password1, password2,firstname,surname,email,company,   //
//      address, telephone, admin, active, expiry, module                //
// --------------------------------------------------------------------- //
// NOTES: - you may need to edit the $changelogFile variable to point to //
//          a directory with read/write access for PHP                   //
//        - currently logged-in administrator can't change his own       //
//          status, security level or limit account expiration           //
//        - the username "admin" acts as a 'root' and can be edited only //
//          by admin himself                                             //
// --------------------------------------------------------------------- //

    // connection variables -----------------------------------------------
    $mysqlServer   = "66.226.14.61";
    $mysqlUser     = "timescape";
    $mysqlPassword = "ducati748";
    $mysqlDatabase = "timescape";
    $mysqlTable    = "german";

    $changelogFile = "./logs/changes.txt";
    $changelogSize = 1000;

    // generic error messages ---------------------------------------------
    $errorConnect     = 'Unable to connect to database server.';
    $errorConnectdb   = 'Unable to use the database.';
    $errorQuery       = 'Error while accessing the database. It may be corrupted.';
    $errorIdentity    = 'Error while establishing your identity.';
    $errorNoUser      = 'No username was supplied.';
    $errorRetrieve    = 'Error retrieving information.';
    $errorUpdate      = 'Error saving information.';

    $errorNoPassword  = 'The Password field may not be empty';
    $errorPasswords   = 'The passwords submitted do not match';
    $errorPassLength  = 'The password must be between 6 and 10 characters long';
    $errorNoFirstName = 'First Name is required';
    $errorNoSurname   = 'Surname is required';
    $errorNoAdmin     = 'Security Level is required';
    $errorNoActive    = 'Account Status is required';
    $errorNoExpiry    = 'Account Expiration is required';
    $errorNoModule    = 'Access Module is required';
    $errorStatus      = 'You may not change your own status';
    $errorExpiry      = 'You may not limit your account expiration';
    $errorAdmin       = 'This account can be edited only by its owner';

    $msgRetrieve      = 'Details successfully retrieved';
    $msgUpdate        = 'Details successfully updated';

    // Append the Log File ------------------------------------------------
    function appendChangeLog($action)
    {
        global $changelogFile, $changelogSize, $inputUser, $HTTP_SERVER_VARS;
        $userIP    = $HTTP_SERVER_VARS['REMOTE_ADDR'];
        $timeStamp = date("Y-m-d,H:i:s");
        $logEntry  = "$userIP,$inputUser,$timeStamp,$action\r\n";

        if ((@file_exists($changelogFile)) && (@filesize($changelogFile)<$changelogSize))
            $fp = @fopen($changelogFile, "a");
        else
            $fp = @fopen($changelogFile, "w");
        if ($fp != false)
        {
            @flock($fp, LOCK_EX);
            @fwrite($fp, $logEntry);
            @fclose($fp);
        }
    }

    // retrieve session variables if they exist ---------------------------
    session_start();
    $inputUser  = isset($HTTP_SESSION_VARS['inputUser']) ? $HTTP_SESSION_VARS['inputUser'] : "";
    $inputPass  = isset($HTTP_SESSION_VARS['inputPass']) ? $HTTP_SESSION_VARS['inputPass'] : "";

    // MySQL queries ------------------------------------------------------
    $verifyAdminQuery = "SELECT
                         admin, active
                         FROM $mysqlTable
                         WHERE username='$inputUser' AND password='$inputPass'";

    // connect to database ------------------------------------------------
    $dblink = @mysql_connect($mysqlServer, $mysqlUser, $mysqlPassword);
    if ($dblink == false)
    {
        echo "&edit=false&message=$errorConnect&";
        exit;
    }

    if (@mysql_select_db($mysqlDatabase) == false)
    {
        echo "&edit=false&message=$errorConnectdb&";
        exit;
    }

    // verify that the logged-in user is administrator/active -------------
    $resultQuery = @mysql_query($verifyAdminQuery);
    if ($resultQuery == false)
    {
        echo "&edit=false&message=$errorIdentity&";
        exit;
    }
    $numberOfUsers = mysql_num_rows($resultQuery);
    if ($numberOfUsers != 1)
    {
        echo "&edit=false&message=$errorIdentity&";
        exit;
    }
    $security = mysql_fetch_array($resultQuery);
    if (($security['admin'] != 'Y') || ($security['active'] != 'Y'))
    {
        echo "&edit=false&message=$errorIdentity&";
        exit;
    }

    // retrieve new user values if they were submitted previously ---------
   $sameUser  = false;
   $username  = "";
   $password1 = "";
   $password2 = "";
   $firstname = "";
   $surname   = "";
   $email     = "";
   $company   = "";
   $address   = "";
   $telephone = "";
   $admin     = "";
   $active    = "";
   $expiry    = "";
   $module    = "";

   // should we change the details or just retrieve them? -----------------
   if (isset($HTTP_GET_VARS['action']))
       if ($HTTP_GET_VARS['action'] == "apply")
           $action = "apply";
       else $action = "read";
   else
       $action = "read";

    // test for username --------------------------------------------------
    if (!isset($HTTP_GET_VARS['username']))
    {
        echo "&edit=false&message=$errorNoUser&";
        exit;
    }
    elseif (($HTTP_GET_VARS['username'] == "admin") && ($inputUser != "admin"))
    {
        echo "&edit=false&message=$errorAdmin&";
        exit;
    }
    $username = $HTTP_GET_VARS['username'];

    // retrieve new user values if they were submitted previously ----------
    if ($action == "apply")
    {
        // do we need to update the stored session passsword?
        if ($username == $inputUser)
            $sameUser = true;

        // test for passwords ---------------------------------------------
        if ((!isset($HTTP_GET_VARS['password1'])) || (!isset($HTTP_GET_VARS['password2'])))
        {
            echo "&edit=false&message=$errorNoPassword&";
            exit;
        }
        elseif ($HTTP_GET_VARS['password1'] != $HTTP_GET_VARS['password2'])
        {
            echo "&edit=false&message=$errorPasswords&";
            exit;
        }
        elseif ((strlen($HTTP_GET_VARS['password1'])<6) || (strlen($HTTP_GET_VARS['password1'])>10))
        {
            echo "&edit=false&message=$errorPassLength&";
            exit;
        }
        else
        {
            $password = $HTTP_GET_VARS['password1'];
            if ($sameUser)
            {
                $inputPass = $password;
                session_unregister("inputPass");
                session_register("inputPass");
                $HTTP_SESSION_VARS['inputPass'] = $inputPass;
            }
        }

        // test for first name --------------------------------------------
        if ((!isset($HTTP_GET_VARS['firstname'])) || (strlen($HTTP_GET_VARS['firstname'])<1))
        {
            echo "&edit=false&message=$errorNoFirstName&";
            exit;
        }
        else
            $firstname = $HTTP_GET_VARS['firstname'];

        // test for surname -----------------------------------------------
        if ((!isset($HTTP_GET_VARS['surname'])) || (strlen($HTTP_GET_VARS['surname'])<1))
        {
            echo "&edit=false&message=$errorNoSurname&";
            exit;
        }
        else
            $surname = $HTTP_GET_VARS['surname'];

        // test for admin status ------------------------------------------
        if (!isset($HTTP_GET_VARS['admin']))
        {
            echo "&edit=false&message=$errorNoAdmin&";
            exit;
        }
        elseif (($HTTP_GET_VARS['admin'] != "Y") && ($HTTP_GET_VARS['admin'] != "N"))
        {
            echo "&edit=false&message=$errorNoAdmin&";
            exit;
        }
        elseif (($sameUser) && ($HTTP_GET_VARS['admin'] == "N"))
        {
            echo "&edit=false&message=$errorStatus&";
            exit;
        }
        else
            $admin = $HTTP_GET_VARS['admin'];

        // test for active status ------------------------------------------
        if (!isset($HTTP_GET_VARS['active']))
        {
            echo "&edit=false&message=$errorNoActive&";
            exit;
        }
        elseif (($HTTP_GET_VARS['active'] != "Y") && ($HTTP_GET_VARS['active'] != "N"))
        {
            echo "&edit=false&message=$errorNoActive&";
            exit;
        }
        elseif (($sameUser) && ($HTTP_GET_VARS['active'] == "N"))
        {
            echo "&edit=false&message=$errorStatus&";
            exit;
        }
        else
            $active = $HTTP_GET_VARS['active'];

        // test for module ------------------------------------------------
        if (!isset($HTTP_GET_VARS['module']))
        {
            echo "&edit=false&message=$errorNoModule&";
            exit;
        }
        else
            $module = $HTTP_GET_VARS['module'];

        // test for expiry ------------------------------------------------
        if (!isset($HTTP_GET_VARS['expiry']))
        {
            echo "&edit=false&message=$errorNoExpiry&";
            exit;
        }
        elseif (($HTTP_GET_VARS['expiry']<0) && ($sameUser))
        {
            echo "&edit=false&message=$errorExpiry&";
            exit;
        }
            $expiry = $HTTP_GET_VARS['expiry'];

        // get the optional data ------------------------------------------
        if (isset($HTTP_GET_VARS['email']))
            $email = $HTTP_GET_VARS['email'];

        if (isset($HTTP_GET_VARS['company']))
            $company = $HTTP_GET_VARS['company'];

        if (isset($HTTP_GET_VARS['address']))
            $address = $HTTP_GET_VARS['address'];

        if (isset($HTTP_GET_VARS['telephone']))
            $telephone = $HTTP_GET_VARS['telephone'];

        $updateQuery = "UPDATE $mysqlTable SET
                        password  = '$password',
                        firstname = '$firstname',
                        surname   = '$surname',
                        email     = '$email',
                        company   = '$company',
                        address   = '$address',
                        telephone = '$telephone',
                        admin     = '$admin',
                        active    = '$active',
                        expiry    = expiry+ INTERVAL $expiry DAY,
                        module    = '$module'
                        WHERE username = '$username'";

        $resultQuery = mysql_query($updateQuery);
        if ($resultQuery == false)
        {
            echo "&edit=false&message=$errorUpdate&";
            exit;
        }

        appendChangeLog("Edited data for user $username");
    }

    // retrieve data (already saved or not) -------------------------------

    $retrieveQuery = "SELECT
                      username,
                      password,
                      firstname,
                      surname,
                      email,
                      company,
                      address,
                      telephone,
                      admin,
                      active,
                      expiry,
                      module
                      FROM $mysqlTable
                      WHERE username='$username'";

    $resultQuery = @mysql_query($retrieveQuery);
    if ($resultQuery == false)
    {
        echo "&edit=false&message=$errorRetrieve&";
        exit;
    }
    $numberOfUsers = mysql_num_rows($resultQuery);
    if ($numberOfUsers != 1)
    {
        echo "&edit=false&message=$errorRetrieve&";
        exit;
    }

    $row = mysql_fetch_array($resultQuery);
    $username  = isset($row['username'])  ? rawurlencode($row['username'])  : "";
    $password  = isset($row['password'])  ? rawurlencode($row['password'])  : "";
    $firstname = isset($row['firstname']) ? rawurlencode($row['firstname']) : "";
    $surname   = isset($row['surname'])   ? rawurlencode($row['surname'])   : "";
    $email     = isset($row['email'])     ? rawurlencode($row['email'])     : "";
    $company   = isset($row['company'])   ? rawurlencode($row['company'])   : "";
    $address   = isset($row['address'])   ? rawurlencode($row['address'])   : "";
    $telephone = isset($row['telephone']) ? rawurlencode($row['telephone']) : "";
    $admin     = isset($row['admin'])     ? $row['admin']                   : "";
    $active    = isset($row['active'])    ? $row['active']                  : "";
    $expiry    = isset($row['expiry'])    ? $row['expiry']                  : "";
    $module    = isset($row['module'])    ? $row['module']                  : "";

    echo "&edit=true&\n";
    if ($action == "apply")
        echo "&message=$msgUpdate&\n";
    else
        echo "&message=$msgRetrieve&\n";

    echo "&username=$username&\n";
    echo "&password1=$password&\n";
    echo "&password2=$password&\n";
    echo "&firstname=$firstname&\n";
    echo "&surname=$surname&\n";
    echo "&email=$email&\n";
    echo "&company=$company&\n";
    echo "&address=$address&\n";
    echo "&telephone=$telephone&\n";
    echo "&admin=$admin&\n";
    echo "&active=$active&\n";
    echo "&expiry=$expiry&\n";
    echo "&module=$module&\n";
?>